Method and Apparatus of Identifying User Risk

ABSTRACT

The present disclosure provides techniques to identify suspicious user logins. These techniques may include acquiring, by a computing device, a routing path associated with a user login based on login information. The computing device may extract current routing characteristic information from the routing path, and identify whether the current user login is suspicious based on the current routing characteristic information. These techniques reduce the influence of IP address changes on user identification as well as errors associated with user identification, and identify geographic positions more accurately.

CROSS REFERENCE TO RELATED PATENT APPLICATIONS

This application claims priority to Chinese Patent Application No.201210258816.5, filed on Jul. 24, 2012, entitled “Method and Apparatusof Identifying User Risk,” which is hereby incorporated by reference inits entirety.

TECHNICAL FIELD

The present disclosure relates to online security and, morespecifically, to identifying risk associate with user identities.

BACKGROUND

Online identity theft has become a serious problem for the Internetservices. Online identity theft causes not only monetary losses to usersbut also harmful consequences to users (e.g., illegal conduct by a thirdparty). Accordingly, service providers desire to find an efficient wayto identify a user account at risk (i.e., suspicious user accounts) butalso to allow legitimate user activities.

In general, it's difficult for service providers to confirm thecredibility of users who currently log in. To accurately identifywhether a user account is suspicious, the service providers maydetermine whether the user account is logged in non-locally. Undertraditional technologies, a service provider determines whether a loginis a non-local login by selecting a geographic position corresponding toan IP address used when the user logs in.

This techniques, however, has various defects. First, a network operatormay change its own IP address pool. For example, IP address allocationamong cities may lead to identify a legitimate user as an illegal user.Thus, the identification error rate is relatively high. Second, ageographic position identified by the method of the technique isrelatively rough and generally only may be accurate when logins areconducted in different cities. For example, if a third party steals anidentity of a user, and logs in in the same city that the user used tolog in (e.g., using a proxy server), the risk may not be identified.

Accordingly, an urgent problem needing resolution involves identifyinguser risk and reducing the influence of an IP address change associatedwith identification of the user risk. There is also a need to reduceerror rates associated with the risk user identification, and identifygeographic positions more accurately.

SUMMARY

A technical problem to be solved by embodiments of the presentdisclosure is to identify user risk and to reduce the influence of an IPaddress change associated with identification of the user risk.Embodiments of the present disclosure also reduce error rates associatedwith the risk user identification, and identify geographic positionsmore accurately.

Embodiments of the present disclosure also relate to methods foridentifying that a user login is suspicious. The methods may includeacquiring, by a server, a routing path logged in by a user based onlogin information of the user. Based on the routing path, the server mayextract current routing characteristic information from the routing pathlogged in by the user, and then identify whether the current login issuspicious based on the current routing characteristic information.

In some embodiments, the login information of the user includes a useridentity, information of a client terminal where the user initiates alogin request and information of a server that receives the loginrequest. The acquiring a routing path logged in by a user based on logininformation of the user includes sending a routing discovery message tothe client terminal by the server, feeding back routing node informationhop-by-hop by a router receiving the routing discovery message, andcollecting the routing node information by the server to generate acurrently logged-in routing path corresponding to the user identity.

In some embodiments, the login information of the user includesinformation of a client terminal where the user initiates a loginrequest and information of a server that receives the login request. Theacquiring a routing path logged in by a user based on login informationof the user includes sending a routing discovery message to the serverby the client terminal, feeding back routing node information hop-by-hopby a router receiving the routing discovery message, and collecting therouting node information by the client terminal to generate a currentlylogged-in routing path corresponding to the user identity.

In some embodiments, the extracting current routing characteristicinformation from the routing path logged in by the user includesextracting information of a key router from the routing path logged inby the user, wherein the information of the key router is information ofa router with a traffic greater than a preset threshold, and organizingthe information of the key router to form current routing characteristicinformation.

In some embodiments, the identifying whether the current user logs innon-locally based on the current routing characteristic informationincludes querying historical routing characteristic informationcorresponding to the user identity, and comparing whether the historicalrouting characteristic information and the current routingcharacteristic information are the same. If the historical routingcharacteristic information and the current routing characteristicinformation are not the same, the server may determine that the login issuspicious.

In some embodiments, the login information of the user also includes amachine identity. The identifying whether the current user logs innon-locally based on the current routing characteristic informationincludes presetting a legal correspondence table of a machine identityand a user class, and determining whether the user identity and themachine identity are present in the legal correspondence table of themachine identity and the user class. In these instances, the user classis a cluster of the user identity with the same path characteristicinformation. If the user identity and the machine identity are notpresent, the server may determine that the login is suspicious.

Embodiments of the present disclosure also relate to devices foridentifying that a user is suspicious. The device may include a routingpath acquisition module, a current path extraction module, and a riskjudgment module. The routing path acquisition module is configured toacquire a routing path logged in by a user based on login information ofthe user. The current path extraction module is configured to extractcurrent routing characteristic information from the routing path loggedin by the user. The risk judgment module is configured to identifywhether the current login is suspicious based on the current routingcharacteristic information.

In some embodiments, the login information of the user may include auser identity, information of a client terminal where the user initiatesa login request, and information of a server which receives the loginrequest. The routing path acquisition module may include a routingdiscovery message sending sub-module configured to send a routingdiscovery message to the client terminal, a collection sub-moduleconfigured to collect routing node information fed back hop-by-hop by arouter receiving the routing discovery message, and a path generationsub-module configured to generate a currently logged-in routing pathcorresponding to the user identity.

In some embodiments, the login information of the user may includeinformation of a client terminal where the user initiates a loginrequest and information of a server which receives the login request.The routing path acquisition module may include a routing discoverymessage sending sub-module configured to send a routing discoverymessage to the server, a collection sub-module configured to collectrouting node information fed back hop-by-hop by a router receiving therouting discovery message, and a path generation sub-module configuredto generate a currently logged-in routing path corresponding to the useridentity.

In some embodiments, the current path extraction module may include auser login routing path extraction sub-module configured to extractinformation of a key router from the routing path logged in by the user.In some instances, the information of the key router is information of arouter with traffic greater than a preset threshold, and a key routerinformation formation sub-module configured to organize the informationof the key router to form current routing characteristic information.

In some embodiments, the risk judgment module may include a useridentity query sub-module configured to query historical routingcharacteristic information corresponding to the user identity, and arouting characteristic information comparison sub-module configured tocompare whether the historical routing characteristic information andthe current routing characteristic information are the same. If thehistorical routing characteristic information and the current routingcharacteristic information are not the same, the server may determinethat the login is suspicious.

In some embodiments, the login information of the user may also includea machine identity. The risk judgment module may include a user identityclustering sub-module configured to preset a legal correspondence tableof a machine identity and a user class, wherein the user class is acluster of the user identity with the same path characteristicinformation, and a user identity and machine identity judgmentsub-module configured to determine whether the user identity and themachine identity are present in the legal correspondence table of themachine identity and the user class. If the user identity and themachine identity are not present, the server may determine that thelogin is suspicious.

Compared with conventional techniques, embodiments of the presentdisclosure have various advantages. Embodiments of the presentdisclosure acquire a routing path from a user to a server when the userlogs in the server. The server also extracts routing characteristicinformation of a corresponding user from the routing path. A currentlylogged-in critical path may be obtained based on routing characteristicinformation of current login of a user, and the current critical path iscompared with a critical path that is previously frequently logged in bya corresponding user based on server records. Thus, the server may beable to identify whether the current login of the user is a non-locallogin. This may be an auxiliary mechanism for user identity confirmationbased on path reputation between a user machine and a login server. Themechanism allows the login server to identify whether the current loginaccount is suspicious of theft and is capable of providing a relativelyaccurate risk control means. Meanwhile, embodiments of the presentdisclosure may obtain traffic information of a router between a user anda server, and may provide a true position of the user more carefully.Accordingly, the present disclosure may reduce influence of an IPaddress change on user risk identification, reduce the error rate ofrisk user identification, and identify geographic position moreaccurately.

This Summary is not intended to identify all key features or essentialfeatures of the claimed subject matter, nor is it intended to be usedalone as an aid in determining the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The Detailed Description is described with reference to the accompanyingfigures. The use of the same reference numbers in different figuresindicates similar or identical items.

FIG. 1 is a flow chart of an illustrative process for determiningcredibility of online identities.

FIG. 2 is a schematic diagram of an illustrative computing architecturethat enables user risk identification.

DETAILED DESCRIPTION

The present disclosure is further described below in detail withreference to the drawings and embodiments.

Embodiments of this present disclosure include acquiring a routing pathfrom a user to a server when the user logs in the server, and extractrouting characteristic information of a corresponding user from therouting path. A currently logged-in critical path may be obtained basedon routing characteristic information of a current login of a user, andthe current critical path is compared with a critical path that ispreviously frequently logged in by a corresponding user in serverrecords to identify whether the current login of the user is non-locallogin.

FIG. 1 is a flow chart of an illustrative process for determiningcredibility of online identities. At 102, a server may acquire a routingpath logged in by a user based on login information of the user. In someembodiments, the login information of the user may include informationof a client terminal where the user initiates a login request andinformation of a server which receives the login request. In someinstances, a message may be transferred from a client terminal to aserver via a multistage router, and a message channel connected byvarious stages of routers may form a routing path logged in by a user.

In some embodiments, the server may acquire the routing path by sendinga routing discovery message to the client terminal by the server,receiving routing node information hop-by-hop by a router receiving therouting discovery message, and collecting the routing node informationby the server to form a routing path that is currently logged in by theuser.

In some embodiments, a path collection application program may bedeployed at a server. When a login request that is submitted from aclient terminal by a user is received, the path collection applicationprogram may be initiated and connected to a network to send an InternetControl Message Protocol (ICMP) routing discovery message to the clientterminal. A router receiving the message may provide feedback routingnode information hop-by-hop. The routing path that is currently loggedin by the user may be formed immediately after the path collectionapplication program collects the hop-by-hop routing node information.

In some embodiments, the server may acquire the routing path by sendinga routing discovery message to the server by the client terminal,feeding back routing node information hop-by-hop by a router receivingthe routing discovery message, and collecting the routing nodeinformation by the client terminal to form a routing path that iscurrently logged in by the user.

In some embodiments, a path collection application program may bedeployed at a client terminal; when a user submits a login request, thepath collection application program is initiated and connected to anetwork to send an ICMP routing discovery message to the server. Arouter receiving the message may provide feedback routing nodeinformation hop-by-hop. The routing path that is currently logged in bythe user may be formed immediately after the path collection applicationprogram collects the hop-by-hop routing node information.

At 104, the server may extract routing characteristic information fromthe routing path logged in by the user. The server may extract therouting characteristic information by extracting information of a keyrouter from the routing path logged in by the user, wherein theinformation of the key router is information of a router with trafficgreater than a preset threshold, and organizing the information of thekey router to form routing characteristic information.

At 106, the server may identify whether the current login is suspiciousbased on the routing characteristic information. In some embodiments,the server may identify by querying historical routing characteristicinformation corresponding to the user identity, and comparing whetherthe historical routing characteristic information and the currentrouting characteristic information are the same. If the historicalrouting characteristic information and the current routingcharacteristic information are not the same, the server may determinethat the login is suspicious.

In some embodiments, the routing characteristic information of currentlogin of a user may be compared with preceding historical routingcharacteristic information of a corresponding user to view whether acritical path therein is consistent with a critical path in trustedrouting characteristic information that is frequently used by the user.If there is a critical path, the server may determine that no non-locallogin occurs and the login is not at risk. But if there is no criticalpath, the server may determine that non-local login occurs and the loginis suspicious.

The trusted routing characteristic information may be generated byvarious ways. For example, the trusted routing characteristicinformation may include a routing path used when an account isregistered, and a routing path certified by strong identityauthentication. In these instances, the strong identity authenticationmay include answering of an authentication question, confirmation of aclient via telephone communication, and so on.

There may be more than one routing path frequently used by a user. Forexample, the user may access the Internet at an office, at home, via amobile phone, and etc. Accordingly, there may be multiple critical pathsin the trusted routing characteristic information to ensure morereliable and user friendly.

In some embodiments, the login information of the user also may includea machine identity. In these instances, the server may identify whetherthe current login is suspicious based on the routing characteristicinformation by presetting a legal correspondence table of a machineidentity and a user class, wherein the user class is a cluster of theuser identity with the same path characteristic information. Then, theserver may determine whether the user identity and the machine identityare present in the correspondence table of the machine identity and theuser class. If the user identity and the machine identity are notpresent, the server may determine that the login is suspicious.

In some embodiments, a legal correspondence table of a machine identityand a user class (e.g., a group of the user identity with the samerouting characteristic information) may be set at a server. When a loginrequest of a user is received, identity of a login client terminaland/or identity of a login server (machine identity) and user identityof current login may be compared with the legal correspondence table ofthe machine identity and the user class. If the correspondingrelationship between the machine identity and the user identity of thecurrent login is present in the legal correspondence table, the servermay determine that the user does not log in non-locally and thereforethe login is not at risk. Otherwise, the server may determine that theuser logs is non-locally and therefore is suspicious.

The process to build a network router is sometime complicated and alsohas relatively expensive. A common network operator may not easilychange a critical routing path. Under conventional technologies, anetwork operator changes its own IP address pool, and especially IPaddress allocation among cities. Compared with the conventionaltechnologies, the technologies in the present disclosure for determiningwhether an account is logged in non-locally based on a critical routingpath may more accurately determine that a login is suspicious.

In addition, under the conventional technologies, a determination of anaccount login address via a user identity may be inaccurate amongcities. For example, a third party using a stolen account may use anetwork proxy server in the same city that the legitimate user used tolog in. In this instance, the conventional technologies may not detectthat the account is logged in non-locally. But an auxiliary mechanismdescribed in this disclosure confirms user identities based on pathreputation between a user machine and a login server. This allows thelogin server to effectively identify whether the current login accountis at risk (e.g., stolen), and therefore provides more accurate riskcontrol.

In order to facilitate those skilled in the art to better understand thepresent disclosure, the present disclosure is further described usingsome embodiments below. In some embodiment, a user with a user identity(e.g., 2012) may send a login request to a server of a website A via aclient terminal of the website A. The server of the website A maycomplete login of the user in response to the request and generate logininformation of the user based on Cookies returned by the client terminalof the website A.

The server of the website A may initiate a path collection applicationprogram to send an ICMP routing discovery message to a login server. Thepath collection application program may directly return hop-by-hoprouter information passed by the discovery message to the server afterreceiving the information. The hop-by-hop router information may beanalyzed, and the user identity 2012 may be marked to acquire a routingpath logged in by the user and to return the routing path to the server.

The server of the website A may analyze routing information of eachrouting node in the routing path logged in by the user to extract arouter with a traffic reaching a traffic preset value as a key router. Acritical path may be generated based on the key router and marked withthe user identity 2012 to generate path characteristic information ofcurrent login of the user. Historical routing characteristic informationof last login of 2012 may be extracted from records of the server of thewebsite A, and comparison may be made whether a key router of thehistorical routing characteristic information is the same as that of thepath characteristic information of the current login.

If multiple key routers are found to be different in the historicalrouting characteristic information and the path characteristicinformation of the current login of the user 2012, the server maydetermine that a corresponding account of the user 2012 is at the riskof non-local login.

It should be noted that, for simplicity, some embodiments are expressedas a combination of a series of actions, but those skilled in the artshould know that the present disclosure is not limited by the describedaction sequence. Some steps may be performed in other sequences orsimultaneously based on the present disclosure.

FIG. 2 is a schematic diagram of an illustrative computing architecturethat enables user risk identification. The computing device 200 may be auser device or a server for a multiple location login control. In oneexemplary configuration, the computing device 200 may include one ormore processors 202, input/output interfaces 204, network interface 206,and memory 208.

The memory 208 may include computer-readable media in the form ofvolatile memory, such as random-access memory (RAM) and/or non-volatilememory, such as read only memory (ROM) or flash RAM. The memory 208 isan example of computer-readable media.

Computer-readable media includes volatile and non-volatile, removableand non-removable media implemented in any method or technology forstorage of information such as computer readable instructions, datastructures, program modules, or other data. Examples of computer storagemedia include, but are not limited to, phase change memory (PRAM),static random-access memory (SRAM), dynamic random-access memory (DRAM),other types of random-access memory (RAM), read-only memory (ROM),electrically erasable programmable read-only memory (EEPROM), flashmemory or other memory technology, compact disk read-only memory(CD-ROM), digital versatile disks (DVD) or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other non-transmission medium that maybe used to store information for access by a computing device. Asdefined herein, computer-readable media does not include transitorymedia such as modulated data signals and carrier waves.

Turning to the memory 208 in more detail, the memory 208 may include arouting path acquisition module 210 configured to acquire a routing pathlogged in by a user based on login information of the user, a currentpath extraction module 212 configured to extract current routingcharacteristic information from the routing path logged in by the user,and a risk judgment module 214 configured to identify whether thecurrent login is suspicious based on the current routing characteristicinformation.

In some embodiments, the login information of the user may includeinformation of a client terminal where the user initiates a loginrequest and information of a server which receives the login request. Insome embodiments, information may be transferred from a client terminalto a server via a multistage router, and a message channel connected byvarious stages of routers may form a routing path logged in by a user.

In some embodiments, the routing path acquisition module 210 may includea routing discovery message sending sub-module at the server configuredto send a routing discovery message to the client terminal, and acollection sub-module configured to collect routing node information fedback hop-by-hop by a router receiving the routing discovery message, anda path generation sub-module configured to generate a currentlylogged-in routing path corresponding to the user identity. Thesesub-modules may be located on the server.

In some embodiments, a path collection application program may bedeployed at a server. When a login request that is submitted from aclient terminal by a user is received, the path collection applicationprogram may be initiated and connected to a network to send an ICMProuting discovery message to the client terminal. A router receiving themessage may provide feedback routing node information hop-by-hop. Therouting path that is currently logged in by the user may be formedimmediately after the path collection application program collects thehop-by-hop routing node information.

In some embodiments, the routing path acquisition module 210 may includea routing discovery message sending sub-module configured to send arouting discovery message to the server. The routing path acquisitionmodule 210 may also include a collection sub-module configured tocollect routing node information fed back hop-by-hop by a routerreceiving the routing discovery message, and a path generationsub-module configured to generate a currently logged-in routing pathcorresponding to the user identity. These sub-modules may be located inthe client terminal.

In some embodiments, a path collection application program may bedeployed at a client terminal; when a user submits a login request. Thepath collection application program may be initiated and connected to anetwork to send an ICMP routing discovery message to the server. Arouter receiving the message may provide feedback routing nodeinformation hop-by-hop. The routing path that may be currently logged inby the user may be formed immediately after the path collectionapplication program collects the hop-by-hop routing node information.

In some embodiments, the current path extraction module 212 may includea user login routing path extraction sub-module configured to extractinformation of a key router from the routing path logged in by the user,wherein the information of the key router is information of a routerwith a traffic greater than a preset threshold, a key router informationformation sub-module configured to organize the information of the keyrouter to form current routing characteristic information, and a riskjudgment module configured to identify whether the current login issuspicious based on the current routing characteristic information.

In some embodiments, the risk judgment module 214 may include a useridentity query sub-module configured to query historical routingcharacteristic information corresponding to the user identity, and arouting characteristic information comparison module configured tocompare whether the historical routing characteristic information andthe current routing characteristic information are the same. If thehistorical routing characteristic information and the current routingcharacteristic information are not the same, the server may determinethat the user login is suspicious.

In some embodiments, routing characteristic information of current loginof a user may be compared with preceding historical routingcharacteristic information of a corresponding user to view whether acritical path therein is consistent with a critical path in a trustedrouting characteristic information that is frequently used by the user.If a critical path therein is consistent with a critical path in atrusted routing characteristic information that is frequently used bythe user, the server may determine that no non-local login occurs andthe user is not at risk. Otherwise, the server may determine thatnon-local login occurs, and therefore the user login is suspicious.

The trusted routing characteristic information may be generated byvarious ways. In some embodiments, a routing path may be used when anaccount is registered, and a routing path may be certified by identityauthentication. In these instances, the strong identity authenticationmay include answering of an authentication question, confirmation of aclient via telephone communication, and so on.

There may be more than one routing path frequently used by a user (e.g.,an office, home, mobile phone, and etc). Thus, there also may bemultiple critical paths in the trusted routing characteristicinformation to ensure more reliable and humane judged results.

In some embodiments, the login information of the user may also includea machine identity; and the risk judgment module 214 may include a useridentity clustering sub-module configured to preset a legalcorrespondence table of a machine identity and a user class, wherein theuser class is a cluster of the user identity with the same pathcharacteristic information, and a user identity and machine identityjudgment sub-module configured to determine whether the user identityand the machine identity are present in the legal correspondence tableof the machine identity and the user class. If the user identity and themachine identity are not present, the server may determine that the userlogin is suspicious.

In some embodiments, an authorized correspondence table of a machineidentity and a user class (e.g., a cluster of the user identity with thesame routing characteristic information) may be set at a server. When alogin request of a user is received, identity of a login client terminaland/or identity of a login server (e.g., machine identity) and a useridentity of a current login may be compared with the authorizedcorrespondence table of the machine identity and the user class. If thecorresponding relation between the machine identity and the useridentity of the current login is present in the legal correspondencetable of the machine identity and the user class, the server maydetermine that the user does not log in non-locally and is notsuspicious. Otherwise, the user is considered to log in non-locally, andthus the login is suspicious.

Reference may be made to relevant descriptions of the above-describedembodiments; details are not repeated herein. Those skilled in the artshould understand that the embodiments of the present disclosure may beprovided as a method, a system or a computer program product.Accordingly, the present disclosure may employ an entirely hardwareembodiment, an entirely software embodiment, or a form of an embodimentcombining software and hardware aspects. Moreover, the presentdisclosure may be a form of a computer program product implemented onone or more computer available storage media (including but not limitedto a disk memory, a CD-ROM, an optical memory, etc.) which comprisecomputer available program codes.

The present disclosure is described with reference to a flow chartand/or a block diagram of a method, an apparatus (system) and a computerprogram product based on an embodiment of the present disclosure. Itshould be understood that each process and/or box in a flow chart and/ora block diagram and a combination of processes and/or boxes in a flowchart and/or a block diagram may be realized by computer programinstructions. These computer program instructions may be provided to aprocessor of a general-purpose computer, a special-purpose computer, anembedded processor or other programmable data processing equipment toproduce a machine such that the instructions executed by a processor ofa computer or other programmable data processing equipment may produce adevice for realizing functions designated in one or more processes in aflow chart and/or one or more boxes in a block diagram.

These computer program instructions also may be stored in acomputer-readable memory that may guide a computer or other programmabledata processing equipment to work in an ad hoc fashion such that theinstructions stored in the computer-readable memory may produce amanufactured product including an instruction device, wherein theinstruction device may realize functions designated in one or moreprocesses in a flow chart and/or one or more boxes in a block diagram.

These computer program instructions also may be loaded onto a computeror other programmable data processing equipment such that a series ofoperation steps may be executed on a computer or other programmableequipment to produce processing realized by a computer, thereby theinstructions executed on a computer or other programmable equipment mayprovide steps for realizing functions designated in one or moreprocesses in a flow chart and/or one or more boxes in a block diagram.

Although the embodiments of the present disclosure have been described,once those skilled in the art know the basic creative concept,additional variations and modifications may be made to theseembodiments. Accordingly, the appended claims are intended to beconstrued as including the embodiments as well as all variations andmodifications that fall within the scope of the present disclosure.

A detailed introduction has been made above to methods and devices foridentifying risk of a user login as provided by the present disclosure.Examples are applied herein to explain the principles and embodiments ofthe present disclosure, and the description of the above embodiments isonly used for the purpose of assisting in understanding the method ofthe present disclosure and its core ideas; meanwhile, those of ordinaryskill in the art may make changes in terms of particular embodiments andapplication scopes based on the ideas of the present disclosure. Insummary, the contents of the specification shall not be interpreted aslimiting the present disclosure.

The embodiments are merely for illustrating the present disclosure andare not intended to limit the scope of the present disclosure. It shouldbe understood for persons in the technical field that certainmodifications and improvements may be made and should be consideredunder the protection of the present disclosure without departing fromthe principles of the present disclosure.

What is claimed is:
 1. A method comprising: receiving, by a server,login information of a user; acquiring a routing path based on the logininformation of the user; extracting routing characteristic informationfrom the routing path; and determining a risk associated with the userbased on the routing characteristic information.
 2. The method of claim1, wherein the login information of the user includes a user identity,information of a client terminal on which the user initiates a loginrequest, and information of the server.
 3. The method of claim 2,wherein the acquiring the routing path based on the login information ofthe user comprises: sending, by the server, a routing discovery messageto the client terminal; determining routing node information usinghop-by-hop routing corresponding to the routing discovery message; andgenerating the routing path based on the routing node information. 4.The method of claim 3, wherein the acquiring the routing path based onthe login information of the user comprises: receiving, by the server,the routing discovery message from a client terminal; determiningrouting node information using hop-by-hop routing corresponding to therouting discovery message; and generating the routing path based on therouting node information.
 5. The method of claim 1, wherein theextracting routing characteristic information from the routing pathcomprises: extracting information of a key router from the routing path;and generating the routing characteristic information based on theinformation of the key router.
 6. The method of claim 5, wherein theinformation of the key router includes information of a router having anamount of traffic greater than a preset threshold.
 7. The method ofclaim 1, wherein the determining the risk associated with the user basedon the routing characteristic information comprises: retrievinghistorical routing characteristic information corresponding to the user;and determining the risk by comparing the historical routingcharacteristic information with the routing characteristic information.8. The method of claim 1, wherein the login information of the userincludes a machine identity, and the determining the degree of riskassociated with the user based on the routing characteristic informationcomprises: presetting one or more correspondences between a machineidentity and a user class that includes multiple users each having thepath characteristic information; and determining the risk associatedwith the user based on the one or more correspondences.
 9. A systemcomprising: one or more processors; and memory to maintain a pluralityof components executable by the one or more processors, the plurality ofcomponents comprising: a routing path acquisition module configured to:receive login information of a user, and acquire a routing path based onthe login information of the user, a current path extraction moduleconfigured to extract routing characteristic information from therouting path, and a risk judgment module configured to determining arisk associated with the user based on the routing characteristicinformation.
 10. The system of claim 9, wherein the login information ofthe user includes a user identity, information of a client terminal onwhich the user initiates a login request, and information of a serverassociated with the system, and the acquiring the routing path based onthe login information of the user comprises: sending a routing discoverymessage to the client terminal; determining routing node informationusing hop-by-hop routing corresponding to the routing discovery message;and generating the routing path based on the routing node information.11. The system of claim 10, wherein the acquiring the routing path basedon the login information of the user comprises: receiving the routingdiscovery message from a client terminal; determining routing nodeinformation using hop-by-hop routing corresponding to the routingdiscovery message; and generating the routing path based on the routingnode information.
 12. The system of claim 9, wherein the extractingrouting characteristic information from the routing path comprises:extracting information of a key router from the routing path; andgenerating the routing characteristic information based on theinformation of the key router.
 13. The system of claim 12, wherein theinformation of the key router includes information of a router having anamount of traffic greater than a preset threshold.
 14. The system ofclaim 9, wherein the determining the risk associated with the user basedon the routing characteristic information comprises: retrievinghistorical routing characteristic information corresponding to the user;and determining the risk by comparing the historical routingcharacteristic information with the routing characteristic information.15. The system of claim 9, wherein the login information of the userincludes a machine identity, and the determining the degree of riskassociated with the user based on the routing characteristic informationcomprises: presetting one or more correspondences between a machineidentity and a user class that includes multiple users each having thepath characteristic information; and determining the risk associatedwith the user based on the one or more correspondences.
 16. One or morecomputer-readable media storing computer-executable instructions that,when executed by one or more processors, instruct the one or moreprocessors to perform acts comprising: receiving login information of auser; acquiring a routing path based on the login information of theuser; extracting routing characteristic information from the routingpath; and determining a risk associated with the user based on therouting characteristic information.
 17. The one or morecomputer-readable media of claim 16, wherein the login information ofthe user includes a user identity, information of a client terminal onwhich the user initiates a login request, and information of a server,and the acquiring the routing path based on the login information of theuser comprises: sending, by the server, a routing discovery message tothe client terminal; determining routing node information usinghop-by-hop routing corresponding to the routing discovery message; andgenerating the routing path based on the routing node information. 18.The one or more computer-readable media of claim 17, wherein the routingdiscovery message is an Internet Control Message Protocol (ICMP)discovery message.
 19. The one or more computer-readable media of claim18, wherein the routing node information is associated with one or morenodes, and traffic of an individual node of the one or more nodes isgreater than a predetermined value.
 20. The one or morecomputer-readable media of claim 16, wherein the determining the degreeof risk comprising determining the degree of risk by comparing therouting node information and particular routing node information that isrecorded within a predetermined time period.